
Hardening a large distributed environment: What order should restricted SSL/TLS cipher config and certificates be deployed in?


I'm trying to figure out the change order that I need to successfully implement SSL + certs across almost everything (forwarders, search head clusters, idx clusters, deployers, deployment server, cluster masters). The exception to this is uncontrolled upstream customer UFs.

I've tried one of my test machines and as soon as I enabled some of the recommended post-POODLE / Heartbleed cipher settings it broke instantly with numerous handshake errors to every machine. This leads me to try to find documentation regarding the best way to start.

This link shows the large number of potential areas that can break when enabling it, but doesn't show what order I should do them in so that data is STILL forwarded and is still searchable with minimal downtime. Stopping every single instance to do this isn't an option.

The other thing is that we have client universal forwarders that forward traffic to intermediate UFs which then send this data to our forwarders. As we have no control over those, we would still need to support non-SSL & insecure SSL ciphers. When traffic is transferred internally it needs to be SSL.

I'm thinking the order might be something like:

1. deployment server
2. forwarders
3. search heads - standalone
4. search head cluster - deployer & search head cluster - members
5. indexers - standalone
6. index cluster - members & index cluster - master

The problem I have is that even when you configure limited ciphers on a particular box AND the other machine it is communicating with still has all of them configured, it seems to break.

Every time the issue has been raised with the client I've run through the process of trying to do it and found that at each stage something is a show stopper. In a large distributed installation with many third-party-managed UFs in use, enabling SSL on certain machines stops traffic being indexed when it shouldn't. Really confusing.
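A pre-flight check that models the "limited ciphers on one side, everything on the other" situation described above, added here as an example and not part of the original question or of Splunk. It assumes the `sslVersions` and `cipherSuite` keys and their syntax from Splunk's server.conf / inputs.conf / outputs.conf (OpenSSL cipher-string syntax; `*` and `-` prefixes for versions) and uses the local OpenSSL build to expand each cipher string, so it should be run on the Splunk host itself; all stanza values below are constructed samples.

```python
"""Check whether two Splunk peers (e.g. a hardened indexer and a not-yet-hardened
forwarder) still share a protocol version and at least one cipher suite."""
import ssl

# Version tokens accepted by sslVersions. ssl2 is ignored: modern OpenSSL builds
# cannot offer it, so '*,-ssl2' simply expands to the four below.
KNOWN_VERSIONS = {"ssl3", "tls1.0", "tls1.1", "tls1.2"}


def parse_ssl_versions(spec):
    """Expand an sslVersions value such as '*,-ssl3' or 'tls1.1,tls1.2' into a set."""
    enabled = set()
    for token in (t.strip().lower() for t in spec.split(",")):
        if token == "*":
            enabled |= set(KNOWN_VERSIONS)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        elif token in KNOWN_VERSIONS:
            enabled.add(token)
    return enabled


def expand_cipher_suite(spec):
    """Expand a cipherSuite value into the concrete suite names this OpenSSL build
    would offer. TLS 1.3 suites are not governed by cipher-string syntax and are
    left out of the comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:  # nothing matched, e.g. a typo in the string
        return set()
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def check_peer_compat(side_a, side_b):
    """Each side is a dict holding the 'sslVersions' and 'cipherSuite' values of
    its stanza. Returns (ok, shared_versions, shared_ciphers); ok is False when a
    handshake between the two settings cannot succeed."""
    versions = parse_ssl_versions(side_a["sslVersions"]) & parse_ssl_versions(side_b["sslVersions"])
    ciphers = expand_cipher_suite(side_a["cipherSuite"]) & expand_cipher_suite(side_b["cipherSuite"])
    return bool(versions) and bool(ciphers), versions, ciphers


if __name__ == "__main__":
    # Constructed sample stanza values, not taken from any real deployment.
    hardened = {"sslVersions": "tls1.2", "cipherSuite": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"}
    legacy_uf = {"sslVersions": "tls1.0,tls1.1", "cipherSuite": "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA"}
    ok, v, c = check_peer_compat(hardened, legacy_uf)
    print("compatible" if ok else "WOULD BREAK", sorted(v), sorted(c))
```

Running it against each pair of hosts on the rollout list, before changing the second host, shows whether the link will survive the step; a peer that cannot be changed (the third-party UFs) simply becomes a fixed side of the comparison.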
